<?php
class StopAttack{
    //get拦截规则
    public $getfilter = "\\<.+javascript:window\\[.{1}\\\\x|<.*=(&#\\d+?;?)+?>|<.*(data|src)=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\s*?\(.*\)|sleep\s*?\(.*\)|\\b(group_)?concat[\\s\\/\\*]*?\\([^\\)]+?\\)|\bcase[\s\/\*]*?when[\s\/\*]*?\([^\)]+?\)|load_file\s*?\\()|<[a-z]+?\\b[^>]*?\\bon([a-z]{4,})\s*?=|^\\+\\/v(8|9)|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)|UPDATE\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)@{0,2}(\\(.+\\)|\\s+?.+?\\s+?|(`|'|\").*?(`|'|\"))FROM(\\(.+\\)|\\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
    //post拦截规则
    public $postfilter = "<.*=(&#\\d+?;?)+?>|<.*data=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\s*?\(.*\)|sleep\s*?\(.*\)|\\b(group_)?concat[\\s\\/\\*]*?\\([^\\)]+?\\)|\bcase[\s\/\*]*?when[\s\/\*]*?\([^\)]+?\)|load_file\s*?\\()|<[^>]*?\\b(onerror|onmousemove|onload|onclick|onmouseover)\\b|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)|UPDATE\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?|(`|'|\").*?(`|'|\"))FROM(\\(.+\\)|\\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
    //cookie拦截规则
    public $cookiefilter = "benchmark\s*?\(.*\)|sleep\s*?\(.*\)|load_file\s*?\\(|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)|UPDATE\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)@{0,2}(\\(.+\\)|\\s+?.+?\\s+?|(`|'|\").*?(`|'|\"))FROM(\\(.+\\)|\\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
    
    /**
     *  攻击检查拦截
     */
    private function webscan_StopAttack($StrFiltKey,$StrFiltValue,$ArrFiltReq,$method) {
        $StrFiltValue=$this->webscan_arr_foreach($StrFiltValue);
        if (preg_match("/".$ArrFiltReq."/is",$StrFiltValue)==1){
            $this->webscan_slog(array('ip' => $_SERVER["REMOTE_ADDR"],'time'=>strftime("%Y-%m-%d %H:%M:%S"),'page'=>$_SERVER["PHP_SELF"],'method'=>$method,'rkey'=>$StrFiltKey,'rdata'=>$StrFiltValue,'user_agent'=>$_SERVER['HTTP_USER_AGENT'],'request_url'=>$_SERVER["REQUEST_URI"]));
            $this->webscan_pape();
        }
        if (preg_match("/".$ArrFiltReq."/is",$StrFiltKey)==1){
            $this->webscan_slog(array('ip' => $_SERVER["REMOTE_ADDR"],'time'=>strftime("%Y-%m-%d %H:%M:%S"),'page'=>$_SERVER["PHP_SELF"],'method'=>$method,'rkey'=>$StrFiltKey,'rdata'=>$StrFiltKey,'user_agent'=>$_SERVER['HTTP_USER_AGENT'],'request_url'=>$_SERVER["REQUEST_URI"]));
            $this->webscan_pape();
        }
    
    }
    
    /**
     *  参数拆分
     */
    public function webscan_arr_foreach($arr) {
        static $str;
        static $keystr;
        if (!is_array($arr)) {
            return $arr;
        }
        foreach ($arr as $key => $val ) {
            $keystr=$keystr.$key;
            if (is_array($val)) {
    
                $this->webscan_arr_foreach($val);
            } else {
    
                $str[] = $val.$keystr;
            }
        }
        return implode($str);
    }
    
    /**
     *  防护提示页
     */
    private  function webscan_pape(){
        if(IS_AJAX){
            exit(json_encode(array('status'=>'n','info'=>'输入内容存在非法字符，已被拦截！')));
        }else{
            $pape=<<<HTML
    <!DOCTYPE html>
    <html>
    <head>
    <title>漏洞监测系统</title>
    <meta charset="utf-8">
    <meta name="author" content="LuckyMoke" />
    <style>body, h1, h2, p,dl,dd,dt{margin: 0;padding: 0;font-family: "Segoe UI","Lucida Grande",Helvetica,Arial,"Microsoft YaHei",FreeSans,Arimo,"Droid Sans","wenquanyi micro hei","Hiragino Sans GB","Hiragino Sans GB W3",FontAwesome,sans-serif;}body{background:#efefef;}.ip-attack{text-align: center;width: 60%;margin: 0 auto;padding: 50px;margin-top: 100px;background: #fff;}.ip-attack .tips{font-size: 30px;margin-bottom: 50px;color: #797979;}.ip-attack a{background: #5eb95e;padding: 10px 20px;color: #fff;text-decoration: none;}.ip-attack a:hover{background: #4aaa4a;}</style>
    </head>
    <body>
    <div class="ip-attack">
      <p class="tips">输入内容存在危险字符，已被本站拦截！</p>
      <a href="javascript:history.go(-1)">返回上一页</a></dt>
    </div>
    </body>
    </html>
HTML;
            echo $pape;
        }
        exit;
    }
    /**
     *  拦截目录白名单
     */
    function webscan_white($webscan_white_name,$webscan_white_url=array()) {
        $url_path=$_SERVER['SCRIPT_NAME'];
        //拼接获取
        foreach($_GET as $key=>$value){
            $url_var.=$key."=".$value."&";
        }
    
        if (preg_match("/".$webscan_white_name."/is",$url_path)==1&&!empty($webscan_white_name)) {
            return false;
        }
        foreach ($webscan_white_url as $key => $value) {
            if(!empty($url_var)&&!empty($value)){
                if (stristr($url_path,$key)&&stristr($url_var,$value)) {
                    return false;
                }
            }
            elseif (empty($url_var)&&empty($value)) {
                if (stristr($url_path,$key)) {
                    return false;
                }
            }
    
        }
    
        return true;
    }
}